Microsoft 365 Security Settings Most Businesses Get Wrong

JayTec Solutions

Microsoft 365 is the productivity backbone for millions of businesses worldwide. Email, file storage, collaboration, video conferencing, and identity management all run through a single platform. But the convenience of having everything in one place creates a concentrated risk: if your Microsoft 365 tenant is misconfigured, attackers gain access to everything at once.

The problem is not that Microsoft 365 lacks security features. It has an extensive set of controls, many of which are included in standard business licenses. The problem is that most businesses deploy Microsoft 365 with default settings and never revisit the security configuration. Defaults are designed for ease of setup, not for protection against targeted attacks.

Here are the security settings that businesses most commonly get wrong and how to fix them.

1. Multi-Factor Authentication Is Not Enforced

This remains the single most impactful security gap in Microsoft 365 environments. Despite years of industry guidance, a significant percentage of business tenants still allow password-only authentication for some or all users.

Without MFA, a compromised password gives an attacker full access to a user’s email, files, Teams conversations, and any applications connected through single sign-on. Credential stuffing attacks, where attackers use passwords leaked from other breaches, succeed at alarming rates against accounts without MFA.

What to do:

  • Enable Security Defaults or configure Conditional Access policies to require MFA for all users
  • Prioritize MFA for administrator accounts, which should also use dedicated admin accounts separate from daily-use accounts
  • Use the Microsoft Authenticator app or FIDO2 security keys rather than SMS-based MFA, which is vulnerable to SIM swapping
  • Review the MFA registration report regularly to identify users who have not completed enrollment

The objection that MFA is inconvenient does not hold up against the reality that account compromise is the leading cause of business email compromise, data breaches, and ransomware deployment in cloud environments.

2. External Sharing Is Too Permissive

SharePoint and OneDrive make file sharing easy, sometimes too easy. Default sharing settings in many tenants allow users to create anonymous “Anyone with the link” sharing links that require no authentication. These links can be forwarded, posted publicly, or discovered by anyone who obtains the URL.

What to do:

  • Change the default sharing link type from “Anyone” to “People in your organization” or “Specific people”
  • Disable anonymous sharing links entirely if your business does not require them
  • Set expiration dates on external sharing links; 30 days is a reasonable default
  • Enable sharing auditing so you can review what has been shared externally
  • Configure SharePoint site-level sharing policies for sites that contain sensitive data

External sharing is a legitimate business need, but it should be intentional and controlled, not the default behavior for every file and folder.

3. Email Authentication Records Are Incomplete

Email spoofing, where an attacker sends email that appears to come from your domain, is a primary tool in phishing and business email compromise attacks. Three DNS-based authentication protocols protect against spoofing: SPF, DKIM, and DMARC. Many businesses have SPF configured but lack DKIM and DMARC, or have DMARC set to a monitoring-only policy that does not actually block spoofed messages.

What to do:

  • Verify your SPF record includes all legitimate sending sources and ends with -all (hard fail) rather than ~all (soft fail)
  • Enable DKIM signing for your domain in the Microsoft 365 admin center
  • Publish a DMARC record starting with p=quarantine and progress to p=reject once you have confirmed legitimate mail is passing authentication
  • Monitor DMARC reports to identify unauthorized senders using your domain
  • Configure anti-phishing policies in Microsoft Defender for Office 365 to protect against impersonation of your executives and brand

A properly configured DMARC policy with p=reject tells receiving mail servers to discard any email that fails authentication checks, effectively preventing attackers from spoofing your domain.
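To make the SPF and DMARC checks above concrete, here is an added example (not JayTec's tooling) that evaluates the two TXT records for the soft-fail, monitoring-only and missing-report gaps this section describes. The records are passed in as strings and the samples are constructed; in practice you would fetch them with a DNS resolver first, and DKIM is still confirmed separately in the Microsoft 365 admin center.

```python
"""Assess SPF and DMARC TXT records against the article's recommendations.
Added example, not JayTec's tooling. Records are passed in as strings
(constructed samples below) so the check runs offline; in practice you would
fetch the TXT records with a DNS resolver first."""
import re

# Terms that cost a DNS lookup under RFC 7208; more than 10 is a permerror.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=$|[:/])|mx(?=$|[:/])|ptr|exists:|redirect=)")

def assess_spf(record):
    """Return findings for an SPF record; an empty list means it is acceptable."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are not failed")
    elif all_terms[-1] != "-all":
        findings.append(f"'{all_terms[-1]}' is not a hard fail; change it to -all")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def assess_dmarc(record):
    """Return findings for a _dmarc TXT record; None means no record is published."""
    if record is None:
        return ["no DMARC record: receivers will not enforce alignment for your domain"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none is monitoring only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once legitimate mail passes")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings

# Constructed records for a hypothetical tenant domain, showing the common gaps.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
```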

4. Audit Logging Is Not Enabled or Monitored

Microsoft 365 generates detailed audit logs that record user activity, administrator actions, and security events. These logs are essential for investigating security incidents, detecting compromised accounts, and meeting compliance requirements. But in many tenants, unified audit logging is not enabled, or it is enabled but no one reviews the data.

What to do:

  • Verify that unified audit logging is turned on in the Microsoft Purview compliance portal
  • Confirm mailbox auditing is on for every mailbox; Microsoft now enables it by default, but it should still be verified
  • Configure alert policies for high-risk activities: logins from unusual locations, mass file downloads, inbox rule creation, and mail forwarding rule changes
  • Review sign-in logs weekly for failed authentication attempts, impossible travel detections, and sign-ins from unfamiliar IP addresses
  • Retain audit logs for at least 90 days; consider longer retention for compliance requirements

Audit logs are only valuable if someone reviews them. Automated alerts reduce the burden by flagging the events that matter most, but periodic manual review catches patterns that automated rules might miss.
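The alert policies listed above can also be prototyped against an exported log, which is useful for tuning thresholds before enabling them in the portal. The following is an added example (not JayTec's or Microsoft's code) that runs three of those detections, forwarding or deleting inbox rules, mass file downloads and sign-ins from outside a trusted range, over records shaped like unified audit log entries; the trusted network, thresholds and records are all constructed for illustration.

```python
"""Flag the high-risk audit events the article lists (inbox forwarding rules,
mass downloads, sign-ins from unfamiliar IPs). Added example, not JayTec's or
Microsoft's code; records mirror the shape of unified audit log entries but are
constructed here, not exported from a real tenant."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TRUSTED_NETS = [ip_network("203.0.113.0/24")]   # hypothetical office egress range
MASS_DOWNLOAD_THRESHOLD, MASS_DOWNLOAD_WINDOW = 50, timedelta(minutes=10)
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")

def analyze(records):
    """Return (severity, user, reason) alerts for a list of audit records."""
    alerts, downloads = [], defaultdict(list)
    for r in records:
        op, user, ip = r["Operation"], r["UserId"], r.get("ClientIP")
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            # Rules that forward, redirect or delete mail are classic BEC persistence.
            hits = [k for k in FORWARD_PARAMS if params.get(k)]
            if hits:
                alerts.append(("high", user, f"{op} forwards mail to {params[hits[0]]}"))
            if params.get("DeleteMessage", "").lower() == "true":
                alerts.append(("high", user, f"{op} deletes matching messages"))
        elif op == "FileDownloaded":
            downloads[user].append(datetime.fromisoformat(r["CreationTime"]))
        elif op == "UserLoggedIn" and ip and not any(ip_address(ip) in n for n in TRUSTED_NETS):
            alerts.append(("medium", user, f"sign-in from unfamiliar IP {ip}"))
    for user, times in downloads.items():      # sliding window per user
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > MASS_DOWNLOAD_WINDOW:
                start += 1
            if end - start + 1 >= MASS_DOWNLOAD_THRESHOLD:
                alerts.append(("high", user, f"{end - start + 1} downloads within {MASS_DOWNLOAD_WINDOW}"))
                break
    return alerts

def _rec(op, user, when, ip="203.0.113.10", **params):
    # Build one constructed audit record in the unified-audit-log shape.
    return {"Operation": op, "UserId": user, "CreationTime": when, "ClientIP": ip,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}

SAMPLE_RECORDS = [
    _rec("UserLoggedIn", "alice@example.com", "2024-05-01T08:00:00", ip="198.51.100.7"),
    _rec("New-InboxRule", "alice@example.com", "2024-05-01T08:02:00", ip="198.51.100.7",
         Name="Invoices", ForwardTo="external-box@example.net", DeleteMessage="True"),
] + [_rec("FileDownloaded", "bob@example.com", f"2024-05-01T09:{i // 60:02d}:{i % 60:02d}")
     for i in range(60)]
```

Running `analyze(SAMPLE_RECORDS)` yields four alerts: the unfamiliar-IP sign-in, the forwarding rule, its delete action, and bob's burst of downloads.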

5. Legacy Authentication Protocols Are Still Allowed

Legacy authentication protocols like POP3, IMAP, and SMTP AUTH do not support multi-factor authentication. They authenticate with a username and password only, which means they bypass MFA even when MFA is enforced for modern authentication. Attackers specifically target legacy protocols because they know MFA will not block them.

What to do:

  • Create a Conditional Access policy that blocks legacy authentication for all users
  • Review the Azure AD sign-in logs to identify any applications or devices still using legacy protocols before blocking them
  • Migrate any line-of-business applications that rely on legacy authentication to modern authentication methods
  • Disable POP3 and IMAP access at the mailbox level for users who do not need it

Microsoft has been deprecating legacy authentication, but many tenants still allow it. Blocking legacy authentication is one of the highest-impact security changes you can make with minimal user disruption.
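Before enabling the block, the sign-in log review in the second bullet can be automated over an export. The following added example (not JayTec's tooling) groups successful legacy sign-ins by user and client app and maps each to the Conditional Access clientAppTypes bucket that would block it, and separately counts failed legacy attempts per user; the records are constructed and only mimic the fields of the Graph signIns resource.

```python
"""Inventory legacy-authentication sign-ins from an Entra ID sign-in log export
so you know what will break before a Conditional Access block is enforced.
Added example, not JayTec's tooling; the records below are constructed and only
mimic the fields of the Graph signIns resource (clientAppUsed, status.errorCode)."""
from collections import defaultdict

# Only these client apps negotiate modern auth; every other value is legacy and cannot satisfy MFA.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

def ca_bucket(client_app):
    """Conditional Access clientAppTypes value that covers this legacy client."""
    return "exchangeActiveSync" if client_app == "Exchange ActiveSync" else "other"

def legacy_inventory(sign_ins):
    """Successful legacy sign-ins grouped by (user, client app, CA bucket)."""
    counts = defaultdict(int)
    for s in sign_ins:
        app = s["clientAppUsed"]
        if app in MODERN_CLIENTS or s.get("status", {}).get("errorCode", 0) != 0:
            continue
        counts[(s["userPrincipalName"], app, ca_bucket(app))] += 1
    return dict(counts)

def failed_legacy_by_user(sign_ins):
    """Failed legacy sign-ins per user: a high count is the password-guessing
    traffic the article says targets these protocols, and deserves its own alert."""
    counts = defaultdict(int)
    for s in sign_ins:
        if s["clientAppUsed"] not in MODERN_CLIENTS and s.get("status", {}).get("errorCode", 0) != 0:
            counts[s["userPrincipalName"]] += 1
    return dict(counts)

def _si(upn, app, error=0):
    return {"userPrincipalName": upn, "clientAppUsed": app, "status": {"errorCode": error}}

# Constructed export: a scanner using SMTP AUTH, a phone on ActiveSync, browser
# sign-ins, and a burst of failed IMAP logins (error 50126 = invalid credentials).
SAMPLE_SIGN_INS = (
    [_si("scanner@example.com", "Authenticated SMTP")] * 2
    + [_si("alice@example.com", "Exchange ActiveSync")] * 3
    + [_si("bob@example.com", "Browser")] * 5
    + [_si("alice@example.com", "IMAP4", error=50126)] * 40
)
```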

6. Admin Accounts Lack Proper Controls

Global administrator accounts have unrestricted access to every setting, every mailbox, and every file in your Microsoft 365 tenant. Despite this, many businesses use a single shared admin account, assign global admin to users who do not need it, or use admin accounts for daily email and web browsing.

What to do:

  • Limit global administrator access to no more than 2-4 accounts
  • Create dedicated admin accounts that are used only for administrative tasks, not for email or daily work
  • Assign role-specific admin roles instead of global admin wherever possible (Exchange admin, SharePoint admin, User admin)
  • Require MFA and Conditional Access policies that restrict admin sign-ins to compliant devices and trusted locations
  • Enable Privileged Identity Management (PIM) if your license supports it, requiring just-in-time activation of admin roles

A compromised global admin account is the worst-case scenario in a Microsoft 365 environment. Every control you add to protect these accounts reduces the risk of a catastrophic breach.

7. Data Loss Prevention Policies Are Not Configured

Microsoft 365 includes data loss prevention (DLP) capabilities that can detect and prevent sensitive information from being shared inappropriately. DLP can identify credit card numbers, Social Security numbers, health records, and other sensitive data types in email, SharePoint, OneDrive, and Teams. Yet most SMB tenants have no DLP policies configured.

What to do:

  • Start with built-in DLP policy templates for the data types most relevant to your business (financial data, health information, personally identifiable information)
  • Configure policies to detect sensitive content in email messages, attachments, and shared files
  • Begin with a “test mode” that logs policy matches without blocking content, then review the results before enabling enforcement
  • Create policy tips that notify users when they are about to share sensitive content, giving them the opportunity to reconsider before the action is blocked
  • Review DLP reports monthly to identify patterns and adjust policies as needed

DLP is not about restricting your team. It is about preventing accidental exposure of sensitive data, which is far more common than intentional data theft.

8. Conditional Access Policies Are Missing or Incomplete

Conditional Access is the policy engine that controls how and when users can access Microsoft 365 resources. It evaluates signals like user identity, device compliance, location, and risk level to make real-time access decisions. Without Conditional Access, every authenticated user gets the same level of access regardless of context.

What to do:

  • Require MFA for all users as a baseline Conditional Access policy
  • Block access from countries where your business does not operate
  • Require compliant or hybrid Azure AD joined devices for access to sensitive applications
  • Block legacy authentication protocols through Conditional Access
  • Configure risk-based policies that require additional verification when Azure AD Identity Protection detects suspicious sign-in behavior
  • Create a break-glass emergency access account that is excluded from Conditional Access policies but monitored closely

Conditional Access transforms Microsoft 365 security from a binary authenticated-or-not model to a context-aware system that adapts its requirements based on the risk of each access attempt.

Start With an Audit

The settings described above represent the most common and highest-impact misconfigurations in Microsoft 365 business tenants. Addressing them does not require enterprise-grade licenses or dedicated security staff. Most of these controls are available in Microsoft 365 Business Premium, and many are available in lower-tier plans.

The first step is understanding your current configuration. A Microsoft 365 security audit reviews your tenant settings against industry best practices and identifies the gaps that create the greatest risk. From there, remediation can be prioritized based on impact and effort.

JayTec Solutions provides Microsoft 365 management and security services for businesses that rely on the platform but lack the in-house expertise to configure it properly. From initial tenant hardening to ongoing monitoring and policy management, a properly secured Microsoft 365 environment protects your email, your data, and your business.

The tools are already in your subscription. The question is whether they are configured to protect you.
